Open Bug 261326 (bugz_anti-spam_meta) Opened 17 years ago Updated 5 years ago
Bugzilla spam prevention (tracking anti-spam-spiders/harvesters bugs)
Fixing Bug 120030 improved the situation significantly, but as spam spiders improve, it may not be enough. This bug is for tracking other spam-prevention bugs:
Bug 215439 - "Provide alternate method for bugzilla users to contact each other, prevent spam by not showing email addresses"
Bug 218917 - "Allow login_name != email_address, so address isn't displayed (anti-spam effect too)"
Bug 219021 - "Email addresses should only be displayed to logged in users"
Bug 145499 - "Privacy for email addresses"
Not directly related to Bugzilla, but also worth listing:
Bug 184456 - "lxr.mozilla.org is a spammer's paradise"
Prog.
Summary: [meta] Bugzilla spam prevention (tracking anti-spam-spiders/harvesters bugs) → Bugzilla spam prevention (tracking anti-spam-spiders/harvesters bugs)
meta bugs depend on bugs, not block them.
Reassigning bugs that I'm not actively working on to the default component owner in order to try to make some sanity out of my personal buglist. This doesn't mean the bug isn't being dealt with, just that I'm not the one doing it. If you are dealing with this bug, please assign it to yourself.
Assignee: justdave → general
QA Contact: mattyt-bugzilla → default-qa
This bug and dependants should get a LOT more attention!!! More than 5 years later (and more for some dependent bugs), Bugzilla is still exposing personal email addresses to spammers with no way to change that harmful behaviour. I am getting more and more spam on my bugzilla (bmo) address. If I was a software developer looking for a bug tracking system, this bug alone would make me choose another product. It's a shame. Please do something about it, we really need complete email address privacy.
Severity: normal → critical
Depends on: 163551
Added to the list of dependent bugs (see comment 0): Bug 163551 - Implement complete email address privacy
(In reply to comment #4) Leave the severity of this bug alone. Bugzilla 3.4 is much better at preventing spam as it now hides email addresses for logged out users. The fact that you don't like this bug doesn't allow you to change its severity.
Severity: critical → normal
I think this bug is critical because it makes a security hole into the worldwide mail system.
(In reply to comment #6) "Bugzilla 3.4 is much better at preventing spam as it now hides email addresses for logged out users." Wrong! If I were a spam harvester, I would create a bugzilla account, log in, make some simple comments to avoid detection of inactivity, read all the bugs in pseudo random order (to avoid detection) and harvest the email addresses... Most of the forums have a register page in which I enter a pseudo, my email address (for administrative functions such as notifications of new posts, lost password, etc.) and a password. On each post that I write there is my pseudo (not the email address) and a Personal Message button (PM in short) that the reader can push to send me an email without knowing my address. Spamming with the PM button is dangerous because if I complain to the administrator the offender's account will be revoked! The pseudo is unique on the forum site because a pseudo already in the database is not accepted at registration time. I have the same pseudo on practically all the forum sites, so it is not difficult to remember it... Why do you not copy this coding and reinvent the wheel with a dozen linked bugs?
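The forum scheme described in the comment above (unique pseudonym, address kept server-side, PM relayed by the site, account revoked on complaint), as an added Python example that is not Bugzilla code and not part of the thread. The `Forum` class, its method names and the sample addresses are constructed for illustration, and case-insensitive pseudonym matching is an assumption.

```python
class Forum:
    """Constructed model: unique pseudonyms, addresses kept server-side, PM relay."""

    def __init__(self):
        self._email = {}       # pseudonym (case-folded) -> address; never rendered
        self._revoked = set()  # accounts an administrator has revoked
        self.outbox = []       # (recipient_address, text) pairs handed to the mailer

    def register(self, pseudo, email):
        key = pseudo.casefold()  # assumption: pseudonyms are unique ignoring case
        if key in self._email:
            raise ValueError("pseudonym already in the database")
        self._email[key] = email

    def render_author(self, pseudo, viewer=None):
        # Identical for logged-out and logged-in viewers: pseudonym plus PM control.
        return f"{pseudo} [PM]"

    def send_pm(self, sender, recipient, body):
        s, r = sender.casefold(), recipient.casefold()
        if s not in self._email or s in self._revoked:
            raise PermissionError("sender may not use PM")
        if r not in self._email:
            raise KeyError("unknown recipient")
        # The server resolves the address; the sender only ever sees a receipt.
        self.outbox.append((self._email[r], f"PM from {sender}:\n{body}"))
        return {"to": recipient, "status": "queued"}

    def revoke(self, pseudo):
        # Administrator action after a complaint about PM abuse.
        self._revoked.add(pseudo.casefold())


def demo():
    forum = Forum()
    forum.register("jmc", "jmc@example.org")          # constructed sample data
    forum.register("visitor", "visitor@example.net")
    page = forum.render_author("jmc", viewer="visitor")
    receipt = forum.send_pm("visitor", "jmc", "Question about your comment")
    forum.revoke("visitor")
    return page, receipt, forum.outbox


if __name__ == "__main__":
    print(demo())
```

The address appears only in the server-side `outbox` entry; neither the rendered author line nor the sender's receipt contains it, whether or not the viewer is logged in.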
Slightly better:
- If I am not logged in, the source of "Jean-Marie COUPRIE 2011-04-12 06:33:00 PDT" does not include my email address. This is good!
- If I am logged in, the source of "Jean-Marie COUPRIE 2011-04-12 06:33:00 PDT" includes my email address. This is very bad!
As stated in my previous post (comment 8), an undetected logged-in spam harvester has access to my mail. By the way, I have the knowledge needed to write a script that logs in to Bugzilla, reads a bug report, obtains its source and extracts the emails... Also, "CC List:" shows emails in clear text, and they can be extracted!